Weak or nonexistent IPv6 implementations in computer security
software can leave otherwise-secure computers wide open to attack – so open,
in fact, that in some cases it’s as if there’s no
firewall running at all.

Speaking at the annual HOPE (Hackers on Planet Earth) conference in New
York, security researcher Joe Klein of Command Information said
that the internet is full of computers surreptitiously running IPv6,
unbeknownst to their owners. Compounding the problem is the number of operating
systems shipped with IPv6 enabled by default, which includes Windows Vista,
Linux’s 2.6 kernel, Sun’s Solaris, Mac OS X, and a variety of cell phone
operating systems, including Windows Mobile 5 and 6.

Computers with a lackluster IPv6 setup – even if they have a strong IPv4
firewall or Intrusion Detection System (IDS) in place – are just as naked in
IPv6 space as they would be in IPv4-space without a firewall, with any program
that listens for connections allowed to accept them. Most operating systems, by
default, run a handful of “listeners” for networking and internal
processes – and it is these listeners that are frequently the first to be
targeted in an attack.

A number of computer worms, including Blaster
and its follow-up Welchia,
worked by exploiting a buffer overflow in Windows’ internal RPC
infrastructure, which listens on port 135 and is ordinarily shielded by a
firewall.

Network administrators who don’t keep tabs on their systems face a huge
risk, said Klein. Operational dangers aside, administrators who work for
organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley
risk non-compliance if they don’t secure their IPv6 implementations – whether
they realize they have one or not.

“Essentially, we have systems that are wide open to a network,” said Klein.
“It's like having wireless on your network without knowing it.”

Security researchers have for some time found hackers exploiting IPv6. A 2002
post from Lance Spitzner of the Honeynet Project observed a hacker who
broke into a Solaris-based honeypot through normal means, enabled IPv6
connectivity in the OS, and then set up a tunnel out of the network that went
into another country. The break-in was only discovered due to network
packet-sniffing, and even then Spitzner says he was unable to decode the data
being sent out.

One of the biggest threats is the variety of backwards-compatibility schemes
designed to tunnel IPv6 traffic through an IPv4 system, like Teredo or the 6to4 system: the very act
of tunneling often circumvents firewalls by nature.
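Each tunnelling mechanism leaves a recognisable fingerprint in the IPv6 addresses it configures, which is how a defender can spot a tunnel interface that has lit up on a host. The classifier below is an added example, not code from the article or from Command Information; it uses the well-known 6to4 (2002::/16), Teredo (2001::/32) and ISATAP (interface ID ::0:5efe:w.x.y.z) formats, and the sample addresses are constructed.

```python
"""Flag IPv6 addresses derived from IPv4 tunnelling (6to4, Teredo, ISATAP).
Added example for this article; address formats follow RFC 3056, 4380, 5214."""
import ipaddress
from typing import List, Optional, Tuple

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # 2002:WWXX:YYZZ::/48
TEREDO = ipaddress.IPv6Network("2001::/32")        # 2001:0:server:flags:port:client
ISATAP_MARKER = 0x5EFE                             # IID ::0:5efe:w.x.y.z or ::200:5efe:...


def classify_tunnel_address(text: str) -> Optional[Tuple[str, str]]:
    """Return (mechanism, embedded IPv4 client address), or None for a native address."""
    addr = ipaddress.IPv6Address(text.split("%")[0])  # drop a zone index such as %12
    n = int(addr)
    if addr in SIX_TO_FOUR:
        # The host's public IPv4 address sits in bits 16..47 after the 2002 prefix.
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if addr in TEREDO:
        # Client IPv4 is the low 32 bits, XORed with all-ones so NATs don't rewrite it.
        return "Teredo", str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF))
    iid = n & 0xFFFFFFFFFFFFFFFF
    # ISATAP: 16-bit 0x5efe marker in front of the IPv4, preceded by 0000 or 0200 (u bit).
    if (iid >> 32) & 0xFFFF == ISATAP_MARKER and (iid >> 48) in (0x0000, 0x0200):
        return "ISATAP", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return None


def scan_addresses(addresses: List[str]) -> List[Tuple[str, str, str]]:
    """Return (address, mechanism, ipv4) for every tunnel-derived address in a listing."""
    hits = []
    for a in addresses:
        found = classify_tunnel_address(a)
        if found:
            hits.append((a, found[0], found[1]))
    return hits


# Constructed sample, as might be copied from a host's interface listing.
SAMPLE = [
    "fe80::1%4",                                # native link-local: ignored
    "2001:db8::1",                              # native global: ignored
    "2002:c000:204::c000:204",                  # 6to4 from public IPv4 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",     # Teredo client behind NAT
    "fe80::5efe:192.168.1.5%12",                # ISATAP over private IPv4
]

if __name__ == "__main__":
    for addr, mech, v4 in scan_addresses(SAMPLE):
        print(f"{mech:7s} {addr:40s} embeds IPv4 {v4}")
```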

“Teredo/ISATAP is currently and will continue to be a major red flag for
networks that have both IP versions enabled, because tunneling confuses the
heck out of a lot of firewalls and IDS deployments,” said an unnamed DoD
security specialist, in an interview with Wired’s Threat Level.

With internet progressives trying to switch the internet to IPv6 as fast as
they can – a widget on Command Information’s web site estimates that the internet
will run out of IPv4 addresses in about two and a half years – some fear that
technological progress may be outpacing the security that keeps it safe.

Comments


I disagree on several points. IMHO, the article is not FUD - it is attempting to raise awareness of a real concern.

In short - various IPv6-in-IPv4 tunneling mechanisms exist, some light-up automatically and some even work through NATs/PATs/StatefulFWs. Additionally, most installed IPv4 host-based FW products do not filter Protocol 41 nor UDP/3544 and this needs to change ... this is just starting to change (finally).

Some wise person once said something to the effect of - "Just because you don't understand the threat doesn't mean it isn't there" ... good words for those of us in Information Security to keep close to heart. /TJ

quote: "Just because you don't understand the threat doesn't mean it isn't there"

By that same token, just because you don't understand the technology does not mean it is a threat.

IPv6 to IPv4 tunneling protocols are NOT enabled by default on any system which supports IPv6. Not Windows XP, not Windows Vista, not Linux, not MacOS X. Which brings us back to the same point: the system must have already been compromised in order to exploit its IPv6 stack as a back door. There is no other way about it.

IPv6 is no more or less vulnerable under any circumstance than IPv4, even when the two are coexisting or when one of the two is not being used.

quote: By that same token, just because you don't understand the technology does not mean it is a threat.

Indeed, but I do understand the technology.

quote: IPv6 to IPv4 tunneling protocols are NOT enabled by default on any system which supports IPv6. Not Windows XP, not Windows Vista, not Linux, not MacOS X. Which brings us back to the same point: the system must have already been compromised in order to exploit its IPv6 stack as a back door. There is no other way about it.

Yes, they are. Sorry, but you are 100% wrong. See my previous comments.

Or, see for yourself - in WinXP, enable IPv6 and look at the tunnel interfaces that light up, ready to work. One will start with 2002::/16 if you have a public IPv4 address; that is 6to4. Another one will include "5efe" in the Interface ID portion of the address; that is ISATAP. Take a peek for Teredo also, it is there (with some potential qualifiers / caveats).

You seem to be overlooking something, that we're talking about compromised systems. The hacker being mindful of this will plan out the attack, it's not just a vulnerability based on some random chance events. What is enabled by default or built into the OS is not necessarily important.